VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

Page 47 of 49
  • CVE-2020-10758 (Sep 16, 2020)
    risk 0.00 · cvss · epss 0.02

    A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

  • CVE-2020-15168 (Sep 10, 2020)
    risk 0.00 · cvss · epss 0.02

    node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have…

  • CVE-2020-8203 (Jul 15, 2020)
    risk 0.00 · cvss · epss 0.05

    Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

  • CVE-2020-15100 (Jul 14, 2020)
    risk 0.00 · cvss · epss 0.00

    In freewvs before 0.1.1, a user could create a large file that freewvs will try to read, which will terminate a scan process. This has been patched in 0.1.1.

  • CVE-2020-13250 (Jun 11, 2020)
    risk 0.00 · cvss · epss 0.03

    HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.

  • CVE-2020-10705 (Jun 10, 2020)
    risk 0.00 · cvss · epss 0.01

    A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.

  • CVE-2020-12697 (May 13, 2020)
    risk 0.00 · cvss · epss 0.01

    The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries.

  • CVE-2020-8552 (Mar 27, 2020)
    risk 0.00 · cvss · epss 0.02

    The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.

  • CVE-2020-8551 (Mar 27, 2020)
    risk 0.00 · cvss · epss 0.01

    The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API…

  • CVE-2019-11939 (Mar 18, 2020)
    risk 0.00 · cvss · epss 0.02

    Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This…

  • CVE-2020-7219 (Jan 31, 2020)
    risk 0.00 · cvss · epss 0.02

    HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.

  • CVE-2020-7218 (Jan 31, 2020)
    risk 0.00 · cvss · epss 0.01

    HashiCorp Nomad and Nomad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3.

  • CVE-2020-7226 (Jan 24, 2020)
    risk 0.00 · cvss · epss 0.03

    CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of…

  • CVE-2019-16770 (Dec 5, 2019)
    risk 0.00 · cvss · epss 0.02

    In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait…

  • CVE-2019-12406 (Nov 6, 2019)
    risk 0.00 · cvss · epss 0.06

    Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments.…

  • CVE-2019-17359 (Oct 8, 2019)
    risk 0.00 · cvss · epss 0.09

    The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

  • CVE-2019-16865 (Oct 4, 2019)
    risk 0.00 · cvss · epss 0.03

    An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

  • CVE-2019-15753 (Aug 28, 2019)
    risk 0.00 · cvss · epss 0.03

    In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of…

  • CVE-2019-15544 (Aug 26, 2019)
    risk 0.00 · cvss · epss 0.04

    An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.

  • CVE-2019-9514 (Aug 13, 2019)
    risk 0.00 · cvss · epss 0.83

    Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the…